[Bug 1858415] Re: in tcp_emu function has OOB bug
From: r1ng0hacking
Subject: [Bug 1858415] Re: in tcp_emu function has OOB bug
Date: Wed, 10 Jun 2020 12:12:32 -0000
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1858415
Title:
in tcp_emu function has OOB bug
Status in QEMU:
Fix Released
Bug description:
qemu version: 4.1.0
```c
int tcp_emu(struct socket *so, struct mbuf *m)
{
    ............
    case EMU_REALAUDIO:
        ............
        while (bptr < m->m_data + m->m_len) {
            case 6:
                ............
                lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
                ............
                *(uint8_t *)bptr++ = (p >> 8) & 0xff;
                *(uint8_t *)bptr = p & 0xff;
                ............
        }
        ............
    ............
}
```
`bptr)[1]` and `bptr++` may make `bptr == m->m_data + m->m_len`, and cause OOB (out of bounds).
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1858415/+subscriptions
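As an added illustration, not code from QEMU/libslirp and not its actual fix: the loop guard in the excerpt only checks that `bptr` itself lies inside the mbuf, so a two-byte port read or write starting at the last byte still passes it. The `fake_mbuf` struct, the 4-byte sample buffer and all function names below are constructed for this example; the corrected guard requires two bytes to remain before touching `bptr[1]`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the two mbuf fields the excerpt uses. */
struct fake_mbuf {
    uint8_t *m_data;
    size_t   m_len;
};

/* Constructed sample: a 4-byte payload, so offset 3 is the last byte. */
static uint8_t sample_buf[4] = { 0x1f, 0x90, 0x00, 0x50 };
static struct fake_mbuf sample_m = { sample_buf, sizeof sample_buf };
struct fake_mbuf *sample_mbuf(void) { return &sample_m; }

/* The guard as written in the report: bptr itself must be in range,
 * but nothing guarantees bptr[1] is. True means the access proceeds. */
bool guard_accepts_original(const struct fake_mbuf *m, size_t off)
{
    const uint8_t *bptr = m->m_data + off;
    return bptr < m->m_data + m->m_len;
}

/* Corrected guard: a 16-bit port occupies two bytes, so require that
 * at least two bytes remain between bptr and the end of the data. */
bool guard_accepts_fixed(const struct fake_mbuf *m, size_t off)
{
    return off < m->m_len && m->m_len - off >= 2;
}

/* Big-endian 16-bit read, refused (-1) instead of reading past m_len. */
int read_port_checked(const struct fake_mbuf *m, size_t off)
{
    if (!guard_accepts_fixed(m, off))
        return -1;
    const uint8_t *bptr = m->m_data + off;
    return (bptr[0] << 8) + bptr[1];
}

/* In-place rewrite of the port, same two-byte check before the write. */
int write_port_checked(struct fake_mbuf *m, size_t off, uint16_t p)
{
    if (!guard_accepts_fixed(m, off))
        return -1;
    uint8_t *bptr = m->m_data + off;
    *bptr++ = (p >> 8) & 0xff;
    *bptr   = p & 0xff;
    return 0;
}
```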